I. RESPONSE TO EXAMINER'S ARGUMENTS:

A. Response to Examiner's assertion that Gillett teaches "the security
domain comprising a subset of the set of organizations and the on-line
stores associated with the organizations in the subset" as recited in
claim 17, as discussed on page 7 of Examiner's Answer.

The Examiner additionally cites column 8, lines 20-40 and 52-64 of Gillett as 
teaching "the security domain comprising a subset of the set of organizations and the 
on-line stores associated with the organizations in the subset" as recited in claim 17. 
Examiner's Answer, page 7. Appellants respectfully traverse. 

Gillett teaches that the online commerce architecture enables secure storage of 
customer-supplied commerce information at the ISP-hosted database by encrypting 
the information and ensuring that only the merchant can ultimately decrypt the 
information. Column 8, lines 54-58. 

Hence, Gillett teaches encrypting the customer-supplied commerce 
information and ensuring that only the merchant can ultimately decrypt the 
information. This is not related to a security domain comprising a subset of the set of
organizations and the on-line stores associated with the organizations in the subset.
In the context of one embodiment of the present invention, a security domain is a set
of web pages for which users have a defined set of privileges. See Appellants'
Specification, page 12, lines 12-13. The pending claims must be given their broadest
reasonable interpretation consistent with the specification. In re Hyatt, 211 F.3d
1367, 1372, 54 U.S.P.Q.2d 1664, 1667 (Fed. Cir. 2000); M.P.E.P. §2111. The
broadest reasonable interpretation of the claims must also be consistent with the
interpretation that those skilled in the art would reach. In re Cortright, 165 F.3d
1353, 1359, 49 U.S.P.Q.2d 1464, 1468 (Fed. Cir. 1999); M.P.E.P. §2111. The
Examiner's interpretation of a security domain is not reasonably consistent with the 
specification or consistent with the interpretation that those skilled in the art would 
reach. Hence, the Examiner has not presented a prima facie case of obviousness for 
rejecting claim 17. M.P.E.P. §2111. 

B. Response to Examiner's assertion that Win teaches "granting or
denying access to a user attempting to access a portion of the web site
by determining the user identity for the user and determining the
access role associated with the user identity for the security domain
corresponding to the portion of the web site subject to the access
attempt" as recited in claim 17, as discussed on pages 7-8 of
Examiner's Answer.

The Examiner additionally cites column 8, lines 4-25, 28-61 of Win as 
teaching "granting or denying access to a user attempting to access a portion of the 
web site by determining the user identity for the user and determining the access role 
associated with the user identity for the security domain corresponding to the portion 
of the web site subject to the access attempt" as recited in claim 17. Examiner's 
Answer, page 8. Appellants respectfully traverse. 

Win instead teaches that runtime module 206 calls the authentication 
verification service to check whether an authenticated user is making the request. 
Column 8, lines 25-27. Win further teaches that an authenticated user is one who has 
successfully logged into the system. Column 8, lines 27-28. Furthermore, Win 
teaches that a user is considered authenticated if the request contains a "user cookie" 
that can be decrypted, and the request's IP address matches in the cookie. Column 8, 
lines 28-31. Additionally, Win teaches that after the user has been authenticated in
state 312, runtime module 206 calls the authorization verification service to check 
that the user has the right to access the protected resource. Column 8, lines 38-41. 

Hence, Win teaches determining whether an authenticated user is making the 
request. Win further teaches that a user is considered authenticated if the request 
contains a "user cookie" that can be decrypted, and the request's IP address matches in 
the cookie. Furthermore, Win teaches that after the user has been authenticated, the 
authorization verification service checks that the user has the right to access the 
protected resource. 

There is no language in the cited passages that teaches granting or denying 
access to a user attempting to access a portion of the web site by determining the user 
identity for the user and determining the access role associated with the user identity 
for the security domain corresponding to the portion of the web site subject to the
access attempt. The Examiner is ignoring claim language. Appellants are not simply
claiming granting or denying access to a website. The Examiner is ignoring the 
aspects underlined above. Therefore, the Examiner's cited passages do not teach the 
above-cited claim limitations as asserted by the Examiner. 

C. Response to Examiner's assertion that Gillett teaches "to define the set 
of organizations as a tree structure" as recited in claims 20-22, as 
discussed on page 9 of Examiner's Answer. 

The Examiner additionally cites column 3, lines 28-55 of Gillett as teaching 
"to define the set of organizations as a tree structure" as recited in claims 20-22. 
Examiner's Answer, page 9. Appellants respectfully traverse. 

Gillett instead teaches that the merchant computers 24(1)-24(N), with the 
assistance of the ISP computer 28, create online stores that are merchant-owned, but 
physically hosted by the ISP computer 28. Column 3, lines 28-31. Further, Gillett 
teaches that the merchant uses a local web browser to remotely access the commerce 
server, and namely the store builder wizard, on the ISP computer 26. Column 3, lines 
45-47. 

Hence, Gillett teaches a merchant remotely accessing the commerce server on 
the ISP computer. 

There is no language in the cited passages that teaches defining the set of 
organizations as a tree structure. The Examiner suggests that merchants are leaves to
a tree (see Examiner's Answer, page 9) but does not provide any evidence to support 
such a proposition. There is no language in Gillett that makes any discussion of a tree 
structure. The Examiner must provide a basis in fact and/or technical reasoning to 
support the assertion that Gillett necessarily teaches defining the set of organizations 
as a tree structure. Ex parte Levy, 17 U.S.P.Q.2d 1461, 1464 (Bd. Pat. App. & Inter. 
1990). That is, the Examiner must provide extrinsic evidence that must make clear 
that Gillett necessarily teaches defining the set of organizations as a tree structure, 
and that it would be so recognized by persons of ordinary skill. In re Robertson, 169 
F.3d 743, 745 (Fed. Cir. 1999). Since the Examiner has not provided any such
objective evidence, the Examiner has not presented a prima facie case of obviousness 
for rejecting claims 20-22. M.P.E.P. §2112. 

D. Response to Examiner's assertion that Gillett teaches "defining the 
security domain to include the selected organization and those 
organizations in the set that are descendants of the selected 
organization" as recited in claims 20-22, as discussed on page 9 of 
Examiner's Answer. 

The Examiner additionally cites column 8, lines 20-40 and 52-64 of Gillett as 
teaching "defining the security domain to include the selected organization and those 
organizations in the set that are descendants of the selected organization" as recited in 
claims 20-22. Examiner's Answer, page 9. Appellants respectfully traverse. 

Gillett instead teaches an online commerce architecture that enables
merchants to set up online stores hosted by Internet service providers. Column 8,
lines 52-54. Further, Gillett teaches that the merchant computer 24(1) checks the ISP 
database 34 to see if any purchase requests for the merchant's products have been 
received. Column 8, lines 20-23. 

Hence, Gillett teaches enabling merchants to set up online stores hosted by
Internet service providers. Further, Gillett teaches that the merchant computer checks 
the ISP to see if any purchase requests for the merchant's products have been 
received. 

There is no language in Gillett that provides the basis for the Examiner to 
conclude that Gillett teaches the above-cited claim limitations. While Gillett teaches 
enabling merchants to set up online stores as well as allowing merchants to see if any
purchase requests for their products have been received, there is no language in the 
cited passages that teaches defining the security domain to include the selected 
organization and those organizations in the set that are descendants of the selected 
organization. The pending claims must be given their broadest reasonable
interpretation consistent with the specification. In re Hyatt, 211 F.3d 1367, 1372, 54
U.S.P.Q.2d 1664, 1667 (Fed. Cir. 2000); M.P.E.P. §2111. The broadest reasonable
interpretation of the claims must also be consistent with the interpretation that those
skilled in the art would reach. In re Cortright, 165 F.3d 1353, 1359, 49 U.S.P.Q.2d
1464, 1468 (Fed. Cir. 1999); M.P.E.P. §2111. The Examiner's interpretation of the 
above-cited claim limitations is not consistent with the interpretation that those 
skilled in the art would reach. Hence, the Examiner has not presented a prima facie 
case of obviousness for rejecting claims 20-22. M.P.E.P. §2111. 

E. Response to Examiner's assertion that Examiner's reasoning for 
modifying Win with Gillett to include the missing claim limitations of 
claims 20-22 is sufficient to establish a prima facie case of 
obviousness, as discussed on page 11 of Examiner's Answer.

The Examiner admits that Win does not teach "to define the set of 
organizations as a tree structure" as recited in claims 20-22. Office Action 
(6/20/2007), page 5; Office Action (10/26/2007), page 9. The Examiner asserts that 
Gillett teaches the above-cited missing limitation of claims 20-22. Id. The 
Examiner's reasoning for modifying Win with Gillett to include the above-cited claim 
limitation is "to set up online stores while having a centralized ISP provide the 
security and maintenance of the websites thereby diminishing the threat of misuse of 
information (Gillett, column 1 lines 35-62 and column 1 lines 1-15)." Examiner's 
Answer, page 11. The Examiner's reasoning is insufficient to establish a prima facie 
case of obviousness in rejecting claims 20-22. 

As stated above, the Examiner cites column 1, lines 1-15 and 35-62 of Gillett 
as support for the Examiner's reasoning for modifying Win with Gillett to include the 
missing claim limitation of claims 20-22. Gillett teaches that there is a need for an 
architecture that provides security at the ISP level to thereby reduce the exposure of 
ISPs to liability. Column 1, lines 59-62. There is no language in Gillett (and in 
particular column 1, lines 1-15 and 35-62) that makes any suggestion to define a set 
of organizations as a tree structure (missing claim limitation) in order to diminish the 
threat of misuse of information (Examiner's reasoning). The Examiner has cited to
passages in Gillett that discuss the problems in the prior art and that there is a need
in the art for an architecture that provides security at the ISP level to thereby reduce
the exposure of ISPs to liability. The Examiner has to provide some rational
connection between the cited passages that are the source of the Examiner's reasoning
and the missing claim limitation. The Examiner's source (column 1, lines 1-15 and 
35-62 of Gillett) for the Examiner's reasoning for modifying Win with Gillett to 
include the above-cited claim limitation does not provide reasons as to why one 
skilled in the art would modify Win to include the missing claim limitation of claims 
20-22. Accordingly, the Examiner has not presented a prima facie case of 
obviousness for rejecting claims 20-22. KSR International Co. v. Teleflex Inc., 82 
U.S.P.Q.2d 1385, 1396 (U.S. 2007). 

In response to Appellants' above argument, the Examiner points out that 
Gillett suggests that most merchants do not have the wherewithal to manage their 
websites and thus it is an advantage to offload those processes to an ISP. Office 
Action (10/26/2007), page 5. However, the teaching of using an Internet service 
provider (ISP) does not provide any reasons to define a set of organizations as a tree 
structure (missing claim limitation). Accordingly, the Examiner has not presented a 
prima facie case of obviousness for rejecting claims 20-22. KSR International Co. v. 
Teleflex Inc., 82 U.S.P.Q.2d 1385, 1396 (U.S. 2007). 

Further, Win addresses the problems of permitting rapid and convenient 
addition of information describing users and resources and propagating the effects of 
changes in the data model throughout the system. Column 2, lines 34-38. The 
Examiner has not provided any reasons as to why one skilled in the art would modify 
Win (which teaches permitting rapid and convenient addition of information 
describing users and resources and propagating the effects of changes in the data 
model throughout the system) to define a set of organizations as a tree structure 
(missing claim limitation). The Examiner's rationale ("to set up online stores while 
having a centralized ISP provide the security and maintenance of the websites thereby 
diminishing the threat of misuse of information") does not provide such reasoning.

Why would the reason to modify Win (whose purpose is to permit rapid and 
convenient addition of information describing users and resources and propagate the 
effects of changes in the data model throughout the system) to define a set of
organizations as a tree structure (missing claim limitation) be to diminish the threat of 
misuse of information? Win is not concerned with diminishing the threat of misuse of 
information. The Examiner cannot completely ignore the teachings of Win in 
concluding it would have been obvious to modify Win to include the missing claim 
limitation of claims 20-22. Further, what is the rational connection between 
diminishing the threat of misuse of information (Examiner's motivation) and defining 
a set of organizations as a tree structure (missing claim limitation)? 

Hence, the Examiner's rationale does not provide reasons that the skilled 
artisan, confronted with the same problems as the inventor and with no knowledge of 
the claimed invention, would modify Win to include the missing claim limitation of 
claims 20-22. Accordingly, the Examiner has not presented a prima facie case of 
obviousness for rejecting claims 20-22. KSR International Co. v. Teleflex Inc., 82 
U.S.P.Q.2d 1385, 1396 (U.S. 2007). 

F. Response to Examiner's assertion that Aull teaches "providing user
identities with associated access roles at user registration to the web
site" as recited in claim 24, as discussed on pages 11-12 of Examiner's
Answer.

The Examiner additionally cites column 8, lines 60-67 and column 9, lines 5- 
15, 35-42 of Aull as teaching "providing user identities with associated access roles at 
user registration to the web site" as recited in claim 24. Examiner's Answer, page 12. 
Appellants respectfully traverse. 

Aull instead teaches that in operation 350, the registration web server 124 
notifies the user 132 of the availability of the role certificate. Column 9, lines 35-37. 
Aull further teaches that in operation 235, the user 132 accesses the registration web 
server 124 and provides a user signature certificate so that the registration web server 
124 may verify the user's identity. Column 9, lines 37-40. Furthermore, Aull teaches 
that once the user's identity is verified, processing proceeds to operation 240 where 
the user 132 is presented with a list of role certificates for which the user 132 is a role 
administrator. Column 9, lines 40-43. Aull additionally teaches that in operation 
245, the user 132 selects the role certificate desired and thereafter, in operation 250,
the role certificate is generated and transmitted to the user 132. Column 9, lines 43- 
46. 

Hence, Aull teaches that the user provides a user signature certificate so that 
the registration web server may verify the user's identity. Aull further teaches that 
once the user's identity is verified, the user is presented with a list of role certificates. 
Aull additionally teaches that after the user selects the role certificate desired, the role 
certificate is generated and transmitted to the user. 

There is no language in the cited passages that teaches providing user 
identities. Instead, Aull teaches the user providing a single user signature certificate.
Further, there is no language in the cited passages that teaches providing user
identities with associated access roles. Instead, Aull teaches that the user provides a
user signature certificate, and, after the user's identity is verified, the user is presented 
with a list of role certificates. The signature certificate provided by the user in Aull is 
only a digital certificate which is used by the web server to verify the user's identity. 

Therefore, the Examiner's cited passages do not teach the above-cited claim 
limitation as asserted by the Examiner. 

G. Other matters raised by the Examiner. 

All other matters raised by the Examiner have been adequately addressed 
above and in Appellants' Appeal Brief (3/25/2008) and therefore will not be addressed 
herein for the sake of brevity. 

II. CONCLUSION:

For the reasons stated above and in Appellants' Appeal Brief (3/25/2008), 
Appellants respectfully assert that the rejections of claims 17-24 are in error. 
Appellants respectfully request reversal of the rejections and allowance of claims 17- 
24. 